Link: Scribd fullscreen link from suspicious sender
Detects messages containing Scribd links with the fullscreen parameter from senders with no prior benign communication or recent history.
Sublime rule
```yaml
name: "Link: Scribd fullscreen link from suspicious sender"
description: "Detects messages containing Scribd links with the fullscreen parameter from senders with no prior benign communication or recent history."
type: "rule"
severity: "medium"
source: |
  type.inbound
  and length(body.links) < 10
  and any(body.links,
          (
            .href_url.domain.root_domain == "scribd.com"
            or strings.icontains(.href_url.query_params, 'scribd.com')
            or strings.icontains(.href_url.query_params, 'scribd%2ecom')
            or strings.icontains(.href_url.query_params, 'scribd%252ecom')
          )
          and strings.icontains(.href_url.fragment, 'fullscreen')
  )
  and not profile.by_sender_email().any_messages_benign
tags:
  - "Attack surface reduction"
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Free file host"
  - "Social engineering"
  - "Evasion"
detection_methods:
  - "URL analysis"
  - "Sender analysis"
id: "9e9bc972-d4e1-5bd0-96bc-b8b10e74b02a"
```
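The rule's logic re-implemented in plain Python so it can be exercised against constructed messages offline. This is an added example, not Sublime's MQL engine or repository code; it assumes a simplified message dict (inbound flag, sender address, list of href strings) and a set of known-benign senders standing in for `profile.by_sender_email().any_messages_benign`. It covers the direct-domain case, the percent-encoded and double-encoded `scribd.com` hidden in a redirector's query string, and the two non-firing cases (no Scribd indicator; sender with benign history).

```python
from urllib.parse import urlsplit

# Constructed sample messages (not real mail); each link is a plain href string.
SAMPLE_MESSAGES = [
    {   # fires: direct Scribd link with #fullscreen, sender never seen as benign
        "inbound": True, "sender": "unknown@example.invalid",
        "links": ["https://www.scribd.com/document/123/Invoice#fullscreen"]},
    {   # fires: Scribd host double-encoded inside a redirector's query string
        "inbound": True, "sender": "other@example.invalid",
        "links": ["https://redirect.example/go?u=https%3A%2F%2Fwww%2Escribd%252ecom%2Fdoc#FullScreen"]},
    {   # does not fire: fullscreen fragment but no Scribd indicator anywhere
        "inbound": True, "sender": "unknown@example.invalid",
        "links": ["https://docs.example/viewer#fullscreen"]},
    {   # does not fire: matching link, but sender has prior benign messages
        "inbound": True, "sender": "partner@example.invalid",
        "links": ["https://www.scribd.com/doc/9#fullscreen"]},
]
# Hypothetical stand-in for profile.by_sender_email().any_messages_benign
BENIGN_SENDERS = {"partner@example.invalid"}

def root_domain(host):
    """Naive eTLD+1 (last two labels); adequate for scribd.com, unlike co.uk-style suffixes."""
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()

def link_matches(href):
    """One body.links entry: Scribd indicator in host or query, 'fullscreen' in fragment."""
    u = urlsplit(href)
    query, frag = u.query.lower(), u.fragment.lower()   # strings.icontains is case-insensitive
    scribd_indicator = (
        root_domain(u.hostname or "") == "scribd.com"
        or any(t in query for t in ("scribd.com", "scribd%2ecom", "scribd%252ecom"))
    )
    return scribd_indicator and "fullscreen" in frag

def rule_fires(msg, benign_senders=BENIGN_SENDERS):
    """Whole rule: inbound, fewer than 10 links, any matching link, no benign sender history."""
    return (msg["inbound"]
            and len(msg["links"]) < 10
            and any(link_matches(h) for h in msg["links"])
            and msg["sender"].lower() not in benign_senders)

def evaluate(messages=SAMPLE_MESSAGES):
    return [rule_fires(m) for m in messages]

if __name__ == "__main__":
    for msg, hit in zip(SAMPLE_MESSAGES, evaluate()):
        print("FLAG" if hit else "pass", msg["links"][0])
```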